CVE-2026-12090 in Taskbuilder Plugin
Summary
by MITRE • 07/01/2026
The Taskbuilder – Project Management & Task Management Tool With Kanban Board plugin for WordPress is vulnerable to generic SQL Injection via the 'wppm_proj_filter' parameter in all versions up to, and including, 5.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. No nonce verification is performed on the wp_ajax_wppm_view_project_tasks handler, meaning any authenticated session — including subscriber-level — can reach the vulnerable code path without any additional preconditions.
Analysis
by VulDB Data Team • 07/01/2026
The vulnerability identified in the Taskbuilder WordPress plugin is a generic SQL injection flaw caused by improper input validation and query construction. It lies in the plugin's handling of the 'wppm_proj_filter' parameter, where user-supplied data flows directly into an SQL query without adequate sanitization or parameterization. All versions up to and including 5.0.8 are affected, making it a widespread concern for WordPress installations that use this project management tool. The flaw stems from insufficient escaping that fails to neutralize malicious input before it reaches the database layer, so an authenticated user can manipulate the existing SQL operation through a crafted parameter value.
The operational impact of this vulnerability extends beyond simple data extraction to potential full database compromise and unauthorized access to sensitive information. Attackers with subscriber-level privileges or higher can exploit this weakness through the wp_ajax_wppm_view_project_tasks handler, which performs no nonce verification and therefore does not check that the request originated from a legitimate page of the site. Because the handler verifies neither the request origin nor a capability beyond being logged in, any authenticated session within the WordPress environment can trigger the vulnerable code path without additional security barriers. The attack vector specifically targets the plugin's AJAX endpoint, allowing malicious actors to inject SQL that can retrieve confidential data such as user credentials, project details, and other sensitive administrative information stored in the WordPress database.
Security implications of this vulnerability align with CWE-89, which categorizes improper neutralization of special elements used in SQL commands as a fundamental weakness in application security. The flaw also maps to ATT&CK technique T1071.004 for application layer protocol manipulation and T1566 for credential access through injection techniques. The lack of prepared statements or proper parameter binding in the plugin's SQL query construction is a classic database injection pattern that has been consistently documented across security frameworks and standards. Organizations running affected versions of this plugin face significant risk of data breaches, unauthorized access to project management systems, and potential lateral movement within compromised WordPress environments, where attackers could leverage extracted credentials for further exploitation.
Mitigation should prioritize immediate patching to version 5.0.9 or later, where the SQL injection vulnerability has been addressed through proper input sanitization and parameterized queries. Administrators must ensure that all users with subscriber access or higher are properly monitored and that authentication mechanisms remain robust against unauthorized session usage. Network-level controls, including web application firewalls and database query monitoring, should be implemented to detect anomalous SQL patterns that might indicate exploitation attempts. Regular security auditing of WordPress plugins and themes remains essential for identifying similar vulnerabilities, alongside established practices such as least-privilege access controls and comprehensive backup procedures that allow rapid recovery from a compromise.
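The weakness class described in the analysis (a request parameter concatenated into SQL, reached through an AJAX handler with no nonce check) and the remediation the mitigation paragraph calls for (request verification plus parameterized queries) are shown side by side below. This is an added illustrative example, not code from the Taskbuilder plugin or from VulDB; the table name `example_tasks`, the hook name `wp_ajax_example_view_tasks`, the nonce action `example_view_tasks` and the capability name `example_view_tasks` are assumptions chosen for illustration. The WordPress functions used (`check_ajax_referer`, `current_user_can`, `$wpdb->prepare`, `wp_send_json_error`, `wp_send_json_success`, `absint`, `wp_unslash`) are real WordPress APIs.

```php
<?php
/**
 * Added example (not the plugin's own code): one weak AJAX handler beside a
 * hardened one. Table, hook, nonce-action and capability names are assumed.
 */

// --- Weak pattern (illustrates the flaw class; not for use) ---
// The filter value goes straight into the SQL string, and the handler checks
// neither a nonce nor a capability: any logged-in session reaches the query.
function example_view_tasks_weak() {
    global $wpdb;
    $filter = isset( $_POST['wppm_proj_filter'] ) ? $_POST['wppm_proj_filter'] : '';
    $rows   = $wpdb->get_results(
        "SELECT id, title FROM {$wpdb->prefix}example_tasks WHERE project_id = $filter"
    );
    wp_send_json_success( $rows );
}

// --- Hardened pattern ---
function example_view_tasks_hardened() {
    global $wpdb;

    // 1. Nonce: rejects requests that did not come from a page where
    //    wp_create_nonce( 'example_view_tasks' ) was issued to this user.
    //    On failure check_ajax_referer() dies with HTTP 403, which is also a
    //    useful signal for log monitoring of admin-ajax.php.
    check_ajax_referer( 'example_view_tasks', 'security' );

    // 2. Capability: being logged in is not enough. Require a capability that
    //    the plugin grants only to users allowed to read tasks (assumed name).
    if ( ! current_user_can( 'example_view_tasks' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Type enforcement: a project filter is an integer id, so coerce it and
    //    reject anything that does not survive as a positive integer.
    $filter = isset( $_POST['wppm_proj_filter'] )
        ? absint( wp_unslash( $_POST['wppm_proj_filter'] ) )
        : 0;
    if ( 0 === $filter ) {
        wp_send_json_error( array( 'message' => 'invalid filter' ), 400 );
    }

    // 4. Parameterization: $wpdb->prepare() binds the value through %d, so the
    //    query structure is fixed regardless of input. The table name comes
    //    from code (the configured prefix), never from the request.
    $table = $wpdb->prefix . 'example_tasks';
    $sql   = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE project_id = %d",
        $filter
    );
    $rows  = $wpdb->get_results( $sql );

    wp_send_json_success( $rows );
}

add_action( 'wp_ajax_example_view_tasks', 'example_view_tasks_hardened' );
```

If a filter must legitimately be a string (a status name, for instance), bind it with `%s` in `$wpdb->prepare()` and, when it feeds a `LIKE` clause, pass it through `$wpdb->esc_like()` first; the capability and nonce checks stay the same. The front-end caller must include the nonce as the `security` field of the POST body, obtained from `wp_create_nonce( 'example_view_tasks' )` when the page is rendered.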